North Korean Group Kimsuky Escalates Cyber Espionage with Gomir Linux Malware

The North Korean espionage group Kimsuky, also known as APT43, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, has intensified its cyber operations against South Korean organizations. It leverages malware to target government entities as well as the supply chain, expanding its intrusion capabilities. This state-sponsored group, linked to North Korea's Reconnaissance General Bureau (RGB), has shifted its focus to exploiting software supply chains, increasing the risk to global security. Symantec's Threat Hunter team reports that Kimsuky's recent campaigns involve deploying advanced Linux malware Gomir, alongside other tools like Troll Stealer and GoBear, to infiltrate a variety of targets, including government and private sector entities.

Kimsuky's use of Gomir, a Linux variant of the previously known GoBear backdoor, highlights the group's adaptability and the growing complexity of their operations. According to Symantec's Threat Hunters, "Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir." Gomir is designed to establish persistent access and perform a wide array of malicious activities. Upon execution, if Gomir is run with the "install" command line argument and operates under root privileges, it copies itself to /var/log/syslogd to maintain persistence. It then sets up a systemd service named "syslogd" by creating a service file at /etc/systemd/system/syslogd.service. The service starts the malware on boot and keeps it running, with commands like systemctl daemon-reload, systemctl reenable syslogd, and systemctl start syslogd ensuring the service remains active.

For systems where Gomir does not have root access, it uses crontab for persistence. It creates a helper file cron.txt, combines it with existing crontab entries, and updates the crontab with this new configuration. This method ensures Gomir runs and persists following reboots. Once installed, Gomir communicates with its command-and-control (C2) server using HTTP POST requests to the malware's configured C2 path at an index.php endpoint. This communication signals its readiness to receive further instructions and execute additional commands.

Symantec's analysis reveals that Gomir shares a considerable amount of its codebase and operational functionality with GoBear, illustrating a direct lineage between these malware families. Symantec Threat Hunters explain, "The commands are almost identical to those supported by the GoBear Windows backdoor." Both malware families are capable of executing a range of operations from file manipulation and system surveillance to executing arbitrary commands and proxying network connections. These similarities show Kimsuky's strategy of reusing and adapting existing tools to enhance their operational efficiency and evade detection.

Kimsuky's latest campaign, which utilizes Gomir along with other malware tools, underscores their ongoing involvement in cyber espionage. Organizations within Kimsuky's target scope should ensure that their cybersecurity defenses are robust and up-to-date. Symantec's analysis comes after multiple advisories from US government agencies, which have highlighted Kimsuky's exploitation of vulnerabilities in DMARC policies. Additionally, the South Korean National Police agency has attributed activities of Kimsuky, along with other North Korean threat groups like Lazarus and Andariel, to attacks against South Korea's defense industry, resulting in the theft of technical data.